On Thu, Jun 23, 2022 at 05:33:32PM -0400, John Levine wrote:
> Kind of. I use the same key for all of the certs for the many names
> that each of my mail servers have so I have one TLSA record and a lot
> of CNAMEs. That's probably bad practice for some reason but whatever.
Actually, I'd say that TLSA record CNAMEs are a fine practice. If the
underlying servers in fact share the same key, then centralising the
TLSA record management in one place reduces the odds that you'd forget
to update one of them when the server key rolls over. Better a robust,
well-managed shared key than lots of keys poorly managed.
Speaking of DANE deployment, today mijndomein.nl enabled inbound DANE
for 184k customer domains, making them the #3 DANE SMTP hosting provider
by MX-hosted domain count.
The total number of DANE SMTP domains is now 3.53 million. Yes, Gmail,
and so MTA-STS, probably has more users, but DANE has 2 to 3 orders of
magnitude more domains.
Looking at the top 15 MX hosting providers of DNSSEC-signed customer
domains the numbers are:
# domains   hosting zone        DNSSEC/DANE?
---------   ------------        ------------
2,322,925   google.com          -
1,461,637   ovh.net             -
1,249,420   one.com             DANE
  578,352   outlook.com         -
  279,564   hostpoint.ch        DANE
  194,551   googlemail.com      -
  185,512   mijndomein.nl       DANE
  172,483   infomaniak.ch       DANE
  167,874   argewebhosting.nl   DANE
  156,585   transip.email       DANE
  139,405   aftermarket.pl      DNSSEC
  115,664   hostnet.nl          DANE
  110,050   mailprotect.be      -
  107,427   domeneshop.no       DANE
   98,172   loopia.se           DANE
--
Viktor.
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
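The shared-key TLSA CNAME arrangement discussed in the message above, as an added example that is not part of the thread: a checker that follows the TLSA CNAME chain for each MX host and flags any host whose published "3 1 1" record no longer matches the key actually being served. All hostnames, key bytes and records here are constructed stand-ins, not real DNS data.

```python
import hashlib

# Constructed stand-ins for the servers' SubjectPublicKeyInfo (DER). Real SPKIs
# are a few hundred bytes; the content does not matter for the digest logic.
CURRENT_SPKI = b"constructed-spki-after-key-rollover"
OLD_SPKI = b"constructed-spki-before-key-rollover"

def tlsa_3_1_1(spki_der: bytes) -> str:
    """Association data for a DANE-EE(3) SPKI(1) SHA-256(1) TLSA record."""
    return hashlib.sha256(spki_der).hexdigest()

# Constructed DNS snapshot (hypothetical names). mx1 and mx2 CNAME their TLSA
# owner name to one shared record; mx3 keeps its own record, which was not
# updated when the shared key rolled over.
ZONE = {
    "_25._tcp.mx.example.net.":  ("TLSA",  [(3, 1, 1, tlsa_3_1_1(CURRENT_SPKI))]),
    "_25._tcp.mx1.example.net.": ("CNAME", "_25._tcp.mx.example.net."),
    "_25._tcp.mx2.example.net.": ("CNAME", "_25._tcp.mx.example.net."),
    "_25._tcp.mx3.example.net.": ("TLSA",  [(3, 1, 1, tlsa_3_1_1(OLD_SPKI))]),
}

def lookup_tlsa(name: str, zone=ZONE, max_hops: int = 8) -> list:
    """Follow the CNAME chain from a TLSA owner name; return the TLSA RRset."""
    for _ in range(max_hops):
        rtype, rdata = zone.get(name, ("NXDOMAIN", None))
        if rtype == "TLSA":
            return rdata
        if rtype != "CNAME":
            return []          # no TLSA data at the end of the chain
        name = rdata
    raise RuntimeError("CNAME chain too long at " + name)

def check_mx(mx_hosts: list, spki_der: bytes, zone=ZONE) -> dict:
    """Per MX host: does some published 3 1 1 record match the served key?"""
    want = tlsa_3_1_1(spki_der)
    result = {}
    for host in mx_hosts:
        rrset = lookup_tlsa("_25._tcp." + host, zone)
        result[host] = any(u == 3 and s == 1 and m == 1 and d == want
                           for (u, s, m, d) in rrset)
    return result

if __name__ == "__main__":
    hosts = ["mx1.example.net.", "mx2.example.net.", "mx3.example.net."]
    for host, ok in check_mx(hosts, CURRENT_SPKI).items():
        print(host, "OK" if ok else "STALE OR MISSING TLSA")
```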